I've been giving some thought to how to structure my bank's ITPP. Currently, I am going to split it up by lines of business then, within each business line, identify "categories" of red flags (not all 26 or however many we end up identifying)and then note is broad fashion how the bank will address those categories. Then, as Appendices, I will refer to each Red Flag identified for a line of business, but will not include those as part of the Board-approved document. This way, procedural changes can take place at the appendix level which would not require Board approval.

What type of "framework" are others using to structure the Board-approved portion of your ITPP? Do I need to include the appendices in the Board-approved portion, or is that too much detail? Thoughts?

The way the regulations and guidance are set up, only the initial program has to be approved by the Board. Changes to the Program can be made by a senior management employee.

That's right, i had forgotten that fact.

I guess my main concern is how detailed to get in the initial program. At what point does the Board (any Board) say, "Why are you giving us all this detailed stuff!"?

I am using the spreadsheet tool found on BOL as the mainstay of our program. Since each tab is a product, that is a logical place to also document the written procedure that applies to each red flag. I've also built a duplicate page labeled "global", meaning procedures that apply across the board to all product lines for the bank for easy reference. The written program itself "regurgitates" the requirements of the law, how we handle debit card requests after address changes, vendor oversite, training requirements etc that do not quite fit on the product red flag spreadsheets. Our "program", including the written part as well as the spreadsheets will go to the Audit and Finance committee of the BOD in September, leaving plenty of time prior to the Nov 1 cutoff date for implementation - we are training bankwide in October for ID theft. We have been training bankwide for several years on ID theft on an annual basis. The only difference this year will be that rather than canned computer based training, all will be locally prepared materials driven by our ID Theft program.

As you can see I am reviewing comments on how everyone is putting together their ITPP program. I like your way of the spreadsheet, would you be willing to share? Where did you find the tool on BOL?

Patti C.

Another great resource is the ABA Toolkit for Identity Theft Red Flag Regulation. If you are an ABA member, you can download this from their website: http://www.aba.com

Another great resource is the ABA Toolkit for Identity Theft Red Flag Regulation. If you are an ABA member, you can download this from their website: http://www.aba.com

My bank is not a member of ABA so I can't access the Red Flags toolkit. Does anyone know how I can get it?

I've got my risk portion done but as far as putting it into a written policy I feel like I'm just reiterating my FACT Act policy. Should the written policy identify each product in the risk assessment and outline what the bank is doing? More or less just "prettying up" the risk grid? Any input?

I wouldn't. I would probably just reference it (Appendix A or whatever.)

We started an excel spread sheet with all the red flags listed down one side. Across the top the header includes: Business controls, Data Collected & how data is retained and the escalation or decisions to be made. We are inserting the name of every policy/procedure that covers the red flag and where you can find it. Is this sufficient? It covers everything bank personnel would do without copying and pasting it.

I have a policy statement, as well as the program itself with the risk assessment as an Exhibit. Existing policies/procedures (CIP, Information Security Policy, etc.) are referenced broadly within the program, but I am NOT putting them in as formal exhibits. I may or may not consider putting in other exhibits (a Red Flags Incident Sheet for actual bona fide instances of ID Theft, for example), but only if I get time. Oh yeah, I am including a short "Excutive Summary" (Board training) as a prelude to the ITPP. I will not be putting in a copy of the training as an exhibit.

I just noticed that the BOL tool sample is using the original list of 31 Red Flags vs. the list of 26. Is that something that needs to be corrected or is it ok to use the list of 31 red flags?

I ended up revamping the BOL tool to match the final 26 rules, then added any additionally identified red flags above those 26 by product.